Initial wiki structure

docs/infrastructure/wikijs-auth.md

@@ -0,0 +1,36 @@
+# Wiki.js API Authentication & Security Strategy
+
+## 1. Authentication Method
+- **Token Type:** Permanent API Keys (Bearer Tokens)
+- **Generation:** Generated via the Wiki.js Administration Area -> API Keys
+- **Storage:** Stored as environment variables in the agent runtime environment (e.g., `WIKIJS_API_TOKEN`).
+
+## 2. Permission Scopes
+To maintain security, the API token used by agents will be restricted to the minimum necessary scopes:
+
+| Scope | Requirement | Justification |
+|-------|-------------|---------------|
+| `write:pages` | Mandatory | Allows agents to create and update content |
+| `read:pages` | Mandatory | Allows agents to check existing content before updates |
+| `write:assets` | Mandatory | Allows Agent G to upload images/files |
+| `read:assets` | Mandatory | Allows checking for existing assets |
+| `read:tags` | Optional | Allows metadata tagging |
+| `manage:system` | **Prohibited** | Agents must NOT have administrative system access |
+
+## 3. Token Rotation Policy
+- **Frequency:** Tokens should be rotated every 90 days.
+- **Process:**
+  1. Generate new token in Wiki.js.
+  2. Update environment variable in agent deployment (Komodo/Docker).
+  3. Verify connectivity.
+  4. Revoke old token.
+
+## 4. Write Access Control
+- **Human Editing:** All human accounts in Wiki.js will be assigned to a "Read-Only" group.
+- **Agent Editing:** Only the API account (associated with the token) will have write permissions.
+- **Emergency Bypass:** A single "Admin" account will be maintained for emergency manual intervention, protected by 2FA.
+
+## 5. Security Best Practices
+- **TLS:** All API calls MUST be made over HTTPS.
+- **IP Whitelisting:** If possible, Wiki.js should be configured to only accept API requests from the IP of the agent runner.
+- **Audit Logs:** Enable Wiki.js audit logging to track all changes made via the API token.